Obtaining The Primary Email Address Of Any Facebook User

July 9th, 2013

Given only their ID, it was possible to obtain the primary email address of any Facebook user regardless of their privacy settings.

Anyone who has subscribed to a public mailing list knows the problem of members inviting their entire contacts list, including the mailing list, to every new social site and app. This has turned mailing list archives into a Wayback Machine for email notifications. Searching through some old mailing lists, I came across a Facebook invitation reminder circa 2010:

Clicking on the link in the email displayed a sign-up page filled in with the list’s address and the name of a person who had used the link to sign up for an account:

Changing the re parameter did nothing; however, changing parts of the mid parameter resulted in other addresses being displayed. On closer inspection, the parameter’s value was actually a string of values with “G” acting as a delimiter:

59b63a G 5af3107aba69 G 0 G 46

Only the second value was important. It was a hex-encoded ID associated with the address that the invitation was sent to. A Facebook user’s numerical ID could be put as this value and their primary email address would be displayed. A user’s numerical ID is considered public information and can be obtained from the source of their profile or through the Graph API.
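
One way to keep a client-edited field inside a value like mid from being honoured is to authenticate the whole value on the server. This is an added example, not code from the original post and not Facebook's actual fix; SECRET_KEY, issue_mid and verify_mid are hypothetical names, and appending the tag as a fifth "G"-delimited field is an assumption.

```python
import hashlib
import hmac
import re

# Hypothetical server-side secret; a real service would load it from a secrets store.
SECRET_KEY = b"constructed-demo-key"
DELIM = "G"  # the delimiter the mid parameter used
# Four lowercase-hex fields followed by a 64-hex-digit HMAC-SHA256 tag.
MID_RE = re.compile(r"[0-9a-f]+(?:G[0-9a-f]+){3}G[0-9a-f]{64}")


def _tag(fields):
    """HMAC-SHA256 over every field, so no single field can be swapped."""
    msg = DELIM.join(fields).encode("ascii")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_mid(fields):
    """Build a mid value with the authentication tag appended as a fifth field."""
    return DELIM.join(list(fields) + [_tag(fields)])


def verify_mid(mid):
    """Return the four fields if the tag verifies, otherwise None."""
    if not MID_RE.fullmatch(mid):
        return None  # wrong shape, missing tag, or non-hex characters
    *fields, tag = mid.split(DELIM)
    if not hmac.compare_digest(_tag(fields), tag):
        return None  # some field was changed after the server issued the value
    return fields


if __name__ == "__main__":
    # Field values are the ones shown in the post's example.
    mid = issue_mid(["59b63a", "5af3107aba69", "0", "46"])
    print(verify_mid(mid))
    edited = mid.split(DELIM)
    edited[1] = "1234abcd"  # constructed value standing in for another ID
    print(verify_mid(DELIM.join(edited)))
```

The tag only proves the server issued the value unchanged; a validly signed link that leaks, as this one did through a mailing list archive, still verifies, so what the sign-up page displays for a valid link matters as well.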

Disclosure

This issue was reported to Facebook on March 22nd and was fixed within 24 hours. A bounty of $3,500 was awarded as part of their Bug Bounty program.

This has got me steaming. $3500 for bringing this to their attention? What a bunch of arrogant jerks. Or else somebody dropped the ball. Mr. Scalafani could have sold this info for a ton of money and wreaked havoc on FB. It is absolutely irrelevant whether or not it was something that “requires so little knowledge” or not. WHO ELSE FIGURED THIS OUT?! You should have been awarded a home, car and servants, Mr. Scalafani.

Ken C

He was clearly giving a compliment; you need to tune your defensive tone down a bit.